Thursday, December 13, 2012

[SCCM 2007] [SCCM 2012] Computer Accounts behavior in Collections

You have probably noticed some changes between SCCM 2007 and SCCM 2012 in how computer accounts behave in collections, mainly during computer re-installation or account deletion.

In this article, I'll give you some results from my own experience.

Before starting, I would like to explain how SCCM 2007 and SCCM 2012 handle computer accounts in a collection. You probably know the "GUID" or "SMS Unique Identifier", called "Configuration Manager Unique Identifier" in SCCM 2012. This ID is used to identify the client; however, for internal management, SCCM uses another field called "Resource ID".

Properties for a SCCM 2007 client

Let's look at the Collection_Rules table to understand how rules are stored in SCCM. In this case, I created a direct rule:

However, the "Resource ID" can change even if the client GUID stays the same.

Computer Refresh
In this scenario, Windows XP, 7 or 8 is running on the client computer and an OSD task sequence is launched. Data and configuration are saved during the first steps.

With SCCM 2007, the Resource ID is the same before and after the task sequence. The computer account remains in the same collections and advertisements are applied again.

With SCCM 2012, the Resource ID is regenerated. If you created direct rules, collection attachments are lost!

There is a problem with direct rules in SCCM 2012 without SP:
If you check the collection properties, you can confirm that the computer account is still registered. However, the computer account never appears in the collection.

...look what happens with the other scenarios.

New Installation
In this scenario, the computer boots directly into WinPE (PXE, CD, USB key...).

In SCCM 2007 in native mode and in SCCM 2012, the Resource ID is the same before and after the task sequence. The computer account remains in the same collections and advertisements are applied again.

In SCCM 2007 in mixed mode, a new computer account is created with a new Resource ID. The previous computer is marked as obsolete. In the console, depending on your settings, you can manually merge the two accounts to attach the new account to the collections of the previous account.

Account deleted and recreated (thanks to Heartbeat Discovery):
In this scenario, you just remove the computer account. The computer account is recreated a little later during heartbeat discovery.

In both SCCM 2007 and SCCM 2012, the computer account is recreated with a new Resource ID.

In SCCM 2007, direct rules are removed.
In SCCM 2012 without SP, direct rules are not correctly handled. As with "Computer Refresh", you still see your direct rules, but the computer account never appears in the collection.

So what's wrong with direct rules in SCCM 2012 without SP?
Let's look at the database again: the Resource ID has been incremented to 16777219...

..., however the direct rules still point to the old Resource ID (16777218).

There is no obsolete account function... To solve that situation, you need to:
- Remove your old direct rules
- Click on Apply. Otherwise, your new direct rule will still point to the previous Resource ID...
- Recreate your direct rules
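
To find which direct rules need this treatment, the query below lists direct rules whose stored Resource ID no longer matches a live system record, along with the current Resource ID of the same-named computer. It is an added example, not part of the original article. It reads the standard Configuration Manager reporting views (`v_CollectionRuleDirect`, `v_Collection`, `v_R_System`) rather than the Collection_Rules table shown above, and it assumes the rule name is the computer name, which is what the console sets by default for a direct rule.

```sql
-- Added example: read-only check, run against the site database.
-- Assumption: d.RuleName holds the computer name (console default for direct rules).
SELECT
    c.CollectionID,
    c.Name                      AS CollectionName,
    d.RuleName,
    d.ResourceID                AS RuleResourceID,     -- ID stored in the direct rule
    cur.ResourceID              AS CurrentResourceID,  -- ID the client has now (NULL if none found)
    cur.SMS_Unique_Identifier0  AS ClientGuid
FROM v_CollectionRuleDirect AS d
JOIN v_Collection AS c
    ON c.CollectionID = d.CollectionID
-- Record the rule actually points to (missing after the ID was regenerated)
LEFT JOIN v_R_System AS old
    ON old.ResourceID = d.ResourceID
-- Live record with the same name: the candidate for the recreated rule
LEFT JOIN v_R_System AS cur
    ON cur.Name0 = d.RuleName
   AND ISNULL(cur.Obsolete0, 0) = 0
   AND cur.ResourceID <> d.ResourceID
WHERE d.ResourceType = 5                 -- 5 = System resources
  AND (old.ResourceID IS NULL            -- rule target no longer exists
       OR old.Obsolete0 = 1)             -- or target was marked obsolete (SCCM 2007 mixed mode)
ORDER BY c.Name, d.RuleName;
```

Each returned row is a rule that still appears in the collection properties but cannot add the computer to the collection, so any deployment targeted through it does not reach that machine.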